On Mon, Nov 29, 2021 at 03:42:18PM +0100, Florian Westphal wrote:
> If destination port is above 32k and source port below 16k
> assume this might cause 'port shadowing' where a 'new' inbound
> connection matches an existing one, e.g.
>
> inbound X:41234 -> Y:53 matches existing conntrack entry
> Z:53 -> X:4123, where Z got natted to X.
>
> In this case, new packet is natted to Z:53 which is likely
> unwanted.
>
> We could avoid the rewrite for connections that are not being forwarded,
> but get_unique_tuple() and the callers don't propagate the required hook
> information for this.

Probably you can scratch a bit to store in the struct nf_conn object if these are locally generated flows?

Thanks
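The shadowing case quoted above, as an added example that is not part of the thread or of the kernel's nf_nat code: a toy conntrack table that stores an original and a reply tuple per flow and classifies packets by tuple lookup, the way nf_conntrack does. An outbound Z:53 -> X:41234 flow is SNATed to Y; a later, unrelated inbound X:41234 -> Y:53 packet then matches the stored reply tuple and gets rewritten to Z:53. Forcing a source-port remap when the source port is below 16k and the destination port above 32k moves the reply tuple away from the well-known port so the inbound packet is seen as NEW. The addresses, the 16384/32768 thresholds and the deterministic replacement port are constructed for this demo (the kernel picks the port differently), and none of the function names here are the kernel's.

```c
/* Added example, not kernel code: toy model of conntrack tuple lookup and
 * NAT port shadowing. Hosts, ports and thresholds are constructed.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tuple {
    uint32_t saddr, daddr;
    uint16_t sport, dport;
};

/* One conntrack entry: the original tuple and the reply tuple as the
 * reply will arrive after NAT has rewritten the flow. */
struct conn {
    struct tuple orig, reply;
};

#define MAX_CONNS 8
struct ct_table {
    struct conn conns[MAX_CONNS];
    int n;
};

enum dir { DIR_NONE = -1, DIR_ORIGINAL = 0, DIR_REPLY = 1 };

static int tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport;
}

/* Classify a packet by its tuple. A hit on a reply tuple means conntrack
 * treats the packet as belonging to that existing flow, not as NEW. */
static enum dir ct_lookup(const struct ct_table *t, const struct tuple *pkt, int *idx)
{
    for (int i = 0; i < t->n; i++) {
        if (tuple_eq(&t->conns[i].orig, pkt)) { *idx = i; return DIR_ORIGINAL; }
        if (tuple_eq(&t->conns[i].reply, pkt)) { *idx = i; return DIR_REPLY; }
    }
    return DIR_NONE;
}

/* Heuristic described in the message: source port below 16k with a
 * destination port above 32k looks like a service talking to an ephemeral
 * port, a shape a new inbound connection to that service port can collide
 * with. Exact thresholds are an assumption of this demo. */
int should_force_remap(uint16_t sport, uint16_t dport)
{
    return sport < 16384 && dport > 32768;
}

/* SNAT an outbound flow to nat_addr. The source port is kept unless
 * force_remap is set and the heuristic fires; then a constructed high
 * port stands in for the random one the kernel would choose. */
static void ct_snat_new(struct ct_table *t, const struct tuple *orig,
                        uint32_t nat_addr, int force_remap)
{
    struct conn *c = &t->conns[t->n++];
    uint16_t sport = orig->sport;

    if (force_remap && should_force_remap(orig->sport, orig->dport))
        sport = 49152 + (orig->sport ^ orig->dport) % 16384;

    c->orig = *orig;
    c->reply.saddr = orig->daddr;   /* reply comes from the peer ...   */
    c->reply.sport = orig->dport;
    c->reply.daddr = nat_addr;      /* ... to the NAT address and port */
    c->reply.dport = sport;
}

/* Constructed hosts: X external peer, Y NAT box, Z internal host. */
#define ADDR_X 0x0a000001u   /* 10.0.0.1    */
#define ADDR_Y 0xc0000201u   /* 192.0.2.1   */
#define ADDR_Z 0xc0a80102u   /* 192.168.1.2 */

/* Address a NEW inbound X:41234 -> Y:53 packet is delivered to after the
 * outbound Z:53 -> X:41234 flow has been SNATed: ADDR_Z when it was
 * misclassified as a reply (shadowed), ADDR_Y when it is seen as NEW. */
uint32_t inbound_dest_addr(int force_remap)
{
    struct ct_table t;
    struct tuple out = { ADDR_Z, ADDR_X, 53, 41234 };   /* Z:53 -> X:41234 */
    struct tuple in  = { ADDR_X, ADDR_Y, 41234, 53 };   /* X:41234 -> Y:53 */
    int idx = -1;

    memset(&t, 0, sizeof(t));
    ct_snat_new(&t, &out, ADDR_Y, force_remap);

    if (ct_lookup(&t, &in, &idx) == DIR_REPLY)
        return t.conns[idx].orig.saddr;  /* de-NATed to Z: shadowed */
    return in.daddr;                     /* NEW flow, reaches Y:53  */
}

int inbound_is_shadowed(int force_remap)
{
    return inbound_dest_addr(force_remap) == ADDR_Z;
}

int main(void)
{
    printf("no remap:    inbound X:41234->Y:53 %s\n",
           inbound_is_shadowed(0) ? "rewritten to Z:53 (shadowed)" : "delivered to Y:53");
    printf("force remap: inbound X:41234->Y:53 %s\n",
           inbound_is_shadowed(1) ? "rewritten to Z:53 (shadowed)" : "delivered to Y:53");
    return 0;
}
```

The table lookup is the whole point: conntrack has no notion of "this is a new connection to a local service" versus "this is the reply to a forwarded flow"; it only has tuples, so the only lever without extra hook information is to keep the reply tuple off the well-known port in the first place.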